jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 5881817d0d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5881817d0d'
${ noResults }
blog/content/2014/03/ctf-armeb-debugging.html

121 lines
4.5 KiB
Raw Blame History 

  1. ---

  2. title: "CTF + ARMeb + debugging"

  3. description: >

  4.   CTF + ARMeb + debugging

  5. posted: !!timestamp '2014-03-05'

  6. created: !!timestamp '2014-03-05'

  7. time: 7:21 PM

  8. tags:

  9.   - ctf

  10.   - debugging

  11.   - arm

  12. ---

  13. 

  14. I've been working on making the AVILA board work again with FreeBSD.

  15. Thanks to Jim from Netgate for sending me a board to do this work.

  16. 

  17. I still have a pending patch waiting to go through bde to fix an

  18. unaligned off_t store which gets things farther, but with the patch I'm

  19. getting a: `panic: vm_page_alloc: page 0xc0805db0 is wired` shortly after

  20. the machine launches the daemons.

  21. 

  22. I did work to get cross gdb working for armeb (committed in r261787 and

  23. r261788), but that didn't help as there is no kernel gdb support on

  24. armeb.  As I'm doing this debugging over the network, I can't dump a

  25. core.

  26. 

  27. I didn't feel like hand decoding a `struct vm_page`, so I thought of other

  28. methods, and one way is to use CTF to parse the data type and decode the

  29. data.  I know python and ctypes, so I decided to wrap libctf and see

  30. what I could do.

  31. 

  32. Getting the initial python wrapper working was easy, but my initial test

  33. data was the kernel on my amd64 box that I am developing on.  Now I

  34. needed to use real armeb CTF data.  I point it to my kernel, and I get:

  35. "`File uses more recent ELF version than libctf`".  Ok, extract the CTF

  36. data from the kernel (ctf data is stored in a section named `.SUNW_ctf`)

  37. and work on that directly:

  38. ```

  39. $ objcopy -O binary --set-section-flags optfiles=load,alloc -j .SUNW_ctf /tftpboot/kernel.avila.avila /dev/null

  40. objcopy: /tftpboot/kernel.avila.avila: File format not recognized

  41. ```

  42. 

  43. Well, ok, that's not too surprising since it's an ARMEB binary, lets try:

  44. ```

  45. $ /usr/obj/arm.armeb/usr/src.avila/tmp/usr/bin/objcopy -O binary --set-section-flags optfiles=load,alloc -j .SUNW_ctf /tftpboot/kernel.avila.avila /tmp/test.avila.ctf     

  46. $ ls -l /tmp/test.avila.ctf 

  47. -rwxr-xr-x  1 jmg  wheel  0 Mar  5 17:59 /tmp/test.avila.ctf

  48. ```

  49. 

  50. Hmm, that didn't work too well, ok, lets just use dd to extract the data

  51. using info from `objdump -x`.

  52. 

  53. Ok, now that I've done that, I get:

  54. ```

  55. ValueError: '/tmp/avila.ctf': File is not in CTF or ELF format

  56. ```

  57. 

  58. Hmm, why is that?  Well, it turns out that the endian of the CTF data

  59. is wrong.  The magic is `cf f1`, but the magic on amd64 is `f1 cf`, it's

  60. endian swapped.  That's annoying.  After spending some time trying to

  61. build an cross shared version of libctf, I find that it has the same

  62. issue.

  63. 

  64. After a bit of looking around, I discover the CTF can only ever read

  65. native endianness, but `ctfmerge` has a magic option that will write out

  66. endian swapped data if necessary depending upon the ELF file it's

  67. putting in.  This means that the CTF data in an armeb object file will

  68. be different depending upon the endian you compiled it on, so the object

  69. file isn't cross compatible.  But, this does mean that the data in the

  70. object files will be readable by libctf, just not the data written into

  71. the kernel.

  72. 

  73. So, I create a sacrificial amd64 binary:

  74. ```

  75. $ echo 'int main() {}' | cc -o /tmp/avila2.ctf -x c -

  76. ```

  77. 

  78. And use `ctfmerge` to put the data in it:

  79. ```

  80. $ ctfmerge -L fldkj -o /tmp/avila2.ctf /usr/obj/arm.armeb/usr/src.avila/sys/AVILA/*.o

  81. ```

  82. 

  83. and again use `dd` to extract the `.SUNW_ctf` section into a separate file.

  84. 

  85. With all this work, I finally have the CTF data in a format that libctf

  86. can parse, so, I try to parse some data.  Now the interesting thing is

  87. that the CTF data does encode sizes of integers, but it uses the native

  88. arch's pointer sizes for `CTF_K_POINTER` types, which means that pointers

  89. appear to be 8 bytes in size instead of the correct 4 bytes.  A little

  90. more hacking on the ctf.py script to force all pointers to be 4 bytes,

  91. and a little help to convert ddb output to a string and finally, I have

  92. a dump of the <code>struct&nbsp;vm_page</code> that I was trying to get all along:

  93. ```

  94. {'act_count': '\x00',

  95.  'aflags': '\x00',

  96.  'busy_lock': 1,

  97.  'dirty': '\xff',

  98.  'flags': 0,

  99.  'hold_count': 0,

  100.  'listq': {'tqe_next': 0xc0805e00, 'tqe_prev': 0xc06d18a0},

  101.  'md': {'pv_kva': 3235856384,

  102.         'pv_list': {'tqh_first': 0x0, 'tqh_last': 0xc0805de0},

  103.         'pv_memattr': '\x00',

  104.         'pvh_attrs': 0},

  105.  'object': 0xc06d1878,

  106.  'oflags': '\x04',

  107.  'order': '\t',

  108.  'phys_addr': 17776640,

  109.  'pindex': 3572,

  110.  'plinks': {'memguard': {'p': 0, 'v': 3228376932},

  111.             'q': {'tqe_next': 0x0, 'tqe_prev': 0xc06d1f64},

  112.             's': {'pv': 0xc06d1f64, 'ss': {'sle_next': 0x0}}},

  113.  'pool': '\x00',

  114.  'queue': '\xff',

  115.  'segind': '\x01',

  116.  'valid': '\xff',

  117.  'wire_count': 1}

  118. ```

  119. 

  120. So, the above was produced w/ the final [ctf.py](https://www.funkthat.com/~jmg/ctf.py) script.